Rekall Memory Forensics
Michael Cohen, mic@google.com

What is Rekall?
● An advanced memory analysis solution.
  ○ Historically a fork of the Volatility memory analysis framework.
● Most code re-written/updated.
  ○ Fully open source and GPL - all commits are public.
  ○ Focus on:
    ■ code quality - public code reviews.
    ■ performance.
    ■ ease of use as a library - integrated into other tools.
● Rekall is integrated in GRR: remote memory forensics at scale.

How is it different from X?
● Other memory forensic frameworks rely on guessing global symbols through signature scanning.
● Rekall uses a different design philosophy:
  ○ Exact symbol information for the analyzed system.
    ■ e.g. fetched from the Microsoft Symbol Server.
  ○ Profiles are stored in a public profile repository.
    ■ Rekall fetches the required profile at runtime.
    ■ We have an index of kernel profiles.
    ■ We have over 200 different kernels in the public repository.
  ○ This means we do not need to guess or try to deduce global symbols.
    ■ This makes Rekall much faster, more efficient and more accurate.
    ■ For example, Rekall does not use the Kernel Debugger Block.
      ● The KDBG can easily be overwritten by malware, or changed by newer versions of Windows.
    ■ This is similar to the way the kernel debugger works - much more reliable.
● Rekall distributes and supports a complete memory acquisition solution.
  ○ We have synergy between acquisition and analysis.
  ○ Supports all major operating systems:
    ■ Windows - WinPmem tool.
    ■ Linux - pmem tool + LMAP tool (no need to precompile on the target system).
    ■ OSX - OSXPmem tool (supports 10.9.4+).
  ○ Rekall acquisition tools allow for live system analysis (triaging etc.).

The Rekall User Interfaces
● Rekall has 3 user interfaces:
  ○ Command line - single shot, run and exit.
  ○ Interactive console - IPython based (text only).
  ○ Webconsole - most powerful.
● The same plugin works in all environments!
  ○ Writing a plugin is easy.
    ■ One does not need to think about output formatting - the framework does it all!

Text Interactive Console
● Fast and efficient.
● Great for interactively exploring data types.
● Great for scripting complex analysis (no need to write a plugin).

The Rekall Web Console Interface
A GUI is not just a pretty thing!
● The Rekall Webconsole GUI helps drive analysis by:
  ○ Allowing the user to annotate her analysis.
    ■ The notebook interface creates a mini "report" format.
    ■ Hides/compacts long analysis to improve document flow.
  ○ Persistent file storage allows results to be managed and shared (based on Zip files).
  ○ Rekall files contain plugin output in JSON format.
    ■ Machine readable - can be exported.
● Markdown comments intersperse the analysis.

Context Sensitive Actions
● Context aware plugin arguments allow a customized UI.
● Any Rekall plugin can be launched from the UI.
● Context sensitive actions can analyze in a modal box - for quick drilling.
● Dumped files are also persistent in the Rekall file.
  ○ Plugins that dump files can produce a zip file.
● Analysis files can be restored at will.
  ○ The UI works directly with the analysis file, so there is no need to "save" the document.
  ○ It is possible to download a current snapshot of the document at any time (e.g. for backup).
● The Rekall file is just a zip file which can be viewed/processed.
  ○ Each cell is a directory in the file.

What makes it work?
● The UI uses Rekall's data export facility.
  ○ Rekall exports structured, semantically aware data.
  ○ Rekall uses a Cybox "like" format to describe higher level objects in JSON:

    $ rekal -v -f ~/images/win7.elf pslist -r data | json_pp
    "_EPROCESS" : {
       ...
       "Cybox" : {
          "Image_Info" : {
             "Path" : "C:\\Windows\\system32\\csrss.exe",
             "File_Name" : "\\Device\\HarddiskVolume2\\Windows\\System32\\csrss.exe",
             "type" : "ProcessObj:ImageInfoType",
             "Command_Line" : "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16"
          }

Rekall Export System
● Rekall has a rich and highly customizable export system.
  ○ The output format is chosen by a "Renderer":
    ■ Text renderer is the default.
    ■ Data Export renderer produces rich JSON (used by the UI).
    ■ XLS renderer produces Excel sheets.
  ○ If we can make the GUI work with the exported data, any application can work with it!
    ■ This means you do not have to use Rekall as a library. It can be part of an arbitrary pipeline.

http://www.rekall-forensic.com/

Sorry, Quaid. Your whole life is just a dream. See you at the party, Richter!